February 26, 2021

Volume XI, Number 57



It’s (Not) Academic: Cybersecurity Is a Must for Universities and Academic Medical Centers

Cutting-edge research institutions need cutting-edge cybersecurity to protect their IP and critical personal and financial data.  Universities hold vast repositories of valuable information, including student healthcare information, patient information from academic medical centers, and financial and personal data from applicants, donors, students, faculty, and staff.  So it’s no surprise hackers have been targeting universities lately—in fact, at least eight American universities (including Harvard, UC Berkeley, University of Maryland, and Indiana University) have announced cyber intrusions over the past two years.

With the cost of a data breach averaging $3.8 million,[1] universities cannot afford to pretend cybercrime won’t happen to them.  For institutions with health records, the financial costs can be even greater (as high as $360 per record!), due to the high value of health records on the internet’s black market, the “Dark Web.”

But, the dollars may not mean as much as the bad PR—having your institution’s name in national headlines, risking research funding from governments or corporate partners, losing protected and sensitive IP, fielding calls from angry donors, students, and parents whose personal information has been compromised, and defending multiple civil suits—all because the institution failed to assess its cyber liability.  (See additional information on assessing cyber liability).

For major research institutions holding valuable IP, health records, and grants for sensitive research, having a cybersecurity prevention and remediation plan is more than just a good idea, it’s an absolute must.  And these cybersecurity measures must extend beyond mere “compliance.”  The Federal Government will continue to create cybersecurity regulations, but their regulations never will keep up with the risks.  A university’s administration answers to the Federal Government, to its Board, to its donors, to the media, to its students and faculty, and to the general public. None of these constituencies will be calmed by minimal compliance with outdated regulations.

Instead, universities can address their cybersecurity risks with some initial measures to prevent intrusions and to minimize the damage if a hacker does get through:

    • Protections against Insider Threats: Attacks by insiders accounted for more than 50% of the cyberattacks in 2014. To help mitigate these threats, create an insider threat team and build a holistic approach to security—include staff from IT and technology, legal, physical security, and human resources. Emphasize training of employees, faculty, and administrators in basic cybersecurity awareness to instill habits that will better protect the institution.

    • Enhance Network Security Policies and Procedures: Implement security precautions to make a hack more difficult. For example: create enhanced protocols to prevent unauthorized access to devices and systems, including multi-factor authentication; provide broad and frequent updates to computers on-campus and for computers that regularly access campus networks; and prevent access to compromised sites by incorporating controls into your network.

    • Cyber Intrusion Testing: Work with a vendor to test the institution’s current cybersecurity vulnerabilities and get advice on how to reduce those vulnerabilities.

    • Corrective Action Plan: —one that includes disclosure and mitigation efforts. Importantly, if an institution holds government contracts or grants, follow the required disclosure protocols for cyber intrusion (note that agencies may differ in their disclosure and mitigation requirements).

    • Cyber Insurance: —particularly those with academic medical centers and/or sensitive research programs—should ensure their policies are large enough to cover a worst-case scenario.

While a comprehensive cybersecurity plan will require additional systematic and long-term efforts, taking these steps will at least keep an institution off of a hacker’s list of “low-hanging fruit.”

    [1] Ponemon Institute, Cost of Data Breach Study (2015).  Note this average does not include mega-breaches like those experienced by Home Depot, Target, or Sony Pictures.

    Copyright © 2020, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume V, Number 327



    About this Author

    Christine R. Couvillon, Government Contracts Attorney, Sheppard Mullin Law Firm

    Ms. Couvillon’s professional experience involves a wide variety of counseling, investigations, and litigation for government contractor clients.  She has conducted and assisted on internal  investigations for Office of Foreign Assets Control and False Claims Act liability, represented clients in claims negotiations and disputes before the Armed Services Board of Contract Appeals, and challenged and defended agency decisions on contract awards before the U.S. Government Accountability Office.  In addition, Ms. Couvillon has counseled clients on various regulatory and compliance questions,...
